Mobile data security in health care organisations

Jason Holloway of SanDisk's Enterprise Division explains how confidential data in the NHS can be securely kept on mobile storage devices

For thousands of years, the Aborigines survived in one of the harshest landscapes on Earth by using ingenious tools - such as a stick that came back to the user if it didn't reach the intended target.

And over the past 18 months, many public and private sector organisations must have wished they had mobile data storage devices - USB memory sticks - that would do the same if the owner mislaid or lost them.

Employees enjoy the mobility and convenience that USB flash drives offer. But these benefits also mean that users take risks with data. It's not done with malicious intent: the vast majority of users know that security policies state they shouldn't copy data to the drive. But surely it'll be OK, just this once? After all, they're just trying to work more efficiently, aren't they?

Unfortunately, it's this kind of well-intentioned reasoning that leads to devices getting mislaid, with dozens of losses reported from Trusts and other public sector organisations in the past year. And unlike a boomerang, these USB sticks have yet to fly back to the users. So what can you do to prevent losses of this kind?

The first step is to realise that use of USB flash drives cannot be totally banned: they're very useful tools. But securing them does mean prohibiting the use of personal, non-authorised USB devices, and instead providing staff with a more secure USB flash drive that proactively protects against data leakage as well as malicious infection by worms and viruses. It also means supporting the drives with intelligent device management, data monitoring and central policy enforcement. Here are the key elements needed for a secure USB flash drive solution.

To stop data loss and leakage, the secure USB flash drives should feature hardware-based encryption and password protection. The drive should impose mandatory access control on all files, storing them in a 100% private partition that is AES 256-bit, hardware-encrypted and password-protected. This means data is always encrypted, irrespective of the user's actions. Also, the drive will lock down if a specified number of incorrect password attempts is made. This secures all stored data in the event of loss or theft.

The secure drives should also be controlled by management software to coordinate the complete lifecycle, from initial user deployment to password recovery, data backup, and remote drive termination.

Management features should include automatic mapping of drives to users; centralised control and distribution of security policies; full audit tracking of USB drive use, both on and off the network; remote installation of new software and updates to USB drives; scheduled and automatic backup of USB drive contents; compliance reporting using built-in and customised reports; and the ability to terminate lost drives.

Recent malware outbreaks have used USB drives as a method for spreading infection. So every file that is saved or copied to the drive should be scanned for malware. The host must also be scanned whenever the drive is inserted - which demands an anti-virus engine on the flash drive itself. This stops the transfer of infected files to the drive. If the host is infected, the USB drive should automatically shut down.

A health organisation that has deployed secure USB flash drives to its employees is NHS Dumfries & Galloway. It has issued over 1,100 SanDisk Cruzer Enterprise USB flash drives with SanDisk CMC server software to protect transfers of otherwise unencrypted, personally identifiable data. The drives are used by staff across the organisation's 50 sites in Dumfries and Galloway in South West Scotland.

The drives and software were chosen in 2008, following an NHS Dumfries & Galloway initiative to implement stringent policies for safely storing patient data on PCs, laptops, PDAs and other mobile devices. Its IT team wanted to manage potential security problems before they happened, ensure that employees did not have to give up the convenience of carrying data on memory sticks, and keep patient data password-protected and encrypted, as well as centrally managed and controlled.

"I've been in this business a long time, and I've yet to see a comparable solution that centrally manages the drive's complete lifecycle the way that SanDisk's CMC does. Simply put, we know that our data is now safe and secure. SanDisk has changed the way we work," said Graham Gault, Head of Information Management and Technology for NHS Dumfries & Galloway.

So in conclusion, it is possible to have both the convenience of USB memory stick usage and fully managed, always-on security that stops your sensitive data going walkabout.